Fix for PHPMailer Vulnerability for phpFox v3.9

We were asked how to implement the patch for the PHPMailer vulnerability mentioned here. That fix worked in v3.9, but not for sites that send mail via SMTP. Here’s the fix for SMTP sites. We’ve tested it on our two live sites.

WARNING!! This is a source edit! You assume all responsibility for source edits!

If you don’t feel comfortable doing this, contact us via our support and we will give you a price to do it for you. We are not charging much for this service.

First, grab the latest PHPMailer files. I just download the GitHub zip archive: check the latest release shown on GitHub, then use this link, replacing the version number with the current release number:

https://github.com/PHPMailer/PHPMailer/archive/v5.2.22.zip

As of this article, the latest version, shown in the link above and on GitHub, is 5.2.22.

Extract (unzip) the files to your computer.

The safest thing to do is to rename the current files on the server so that you can revert if this doesn’t work for your site. Different hosting environments might work differently and so it’s best to have a backup of files being changed.

On your server, find:

include/library/phpmailer

Rename that folder to phpmailerbu.

Create a new folder that you’ll be uploading the latest PHPmailer files to:

include/library/phpmailer

Open the extracted folder on your computer, which should be named PHPMailer(version), where (version) is the number of the version you downloaded from GitHub.

Upload the files that are inside that folder into the phpmailer folder you just made. Do NOT upload the PHPMailer(version)/ folder itself as you must upload only the files that are INSIDE that folder to your server.

Now you need to edit a source file.

On your server, find:

include/library/phpfox/mail/driver/phpmailer/smtp.class.php

Make a copy of it, which you could name smtpbu.class.php.

Open the smtp.class.php file and at the top, around line 7, add the following:

Save that file and upload it to your server if you downloaded it to work on it. If you worked directly on the file on the server, you just need to save it.

Clear your site cache.

Test by using your contact form and see if it works. If it doesn’t work, double-check the steps shown and make sure you followed them all. Make sure that the PHPMailerAutoload.php file is on the server, as it was included in the GitHub download. If you don’t see it, go grab it from GitHub and upload it to that phpmailer folder.
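If you have shell access to the server, the backup-and-replace steps above can be done in one pass. This is an added example, not part of the original fix or of phpFox or PHPMailer: the function names swap_phpmailer and revert_phpmailer are hypothetical, and the two arguments (your site root and the extracted PHPMailer folder) are assumptions about your setup.

```shell
#!/bin/sh
# Added example: server-side version of the backup-and-replace steps above.
# swap_phpmailer is a hypothetical helper; both arguments are assumptions:
#   $1 = phpFox site root (the folder that contains include/)
#   $2 = extracted PHPMailer(version) folder
swap_phpmailer() {
    site=$1
    src=$2
    lib="$site/include/library/phpmailer"
    bak="$site/include/library/phpmailerbu"
    drv="$site/include/library/phpfox/mail/driver/phpmailer"

    # Refuse to start unless the download is complete and the site layout matches.
    [ -f "$src/PHPMailerAutoload.php" ] || { echo "PHPMailerAutoload.php missing in $src" >&2; return 1; }
    [ -d "$lib" ] || { echo "not found: $lib" >&2; return 1; }
    [ -f "$drv/smtp.class.php" ] || { echo "not found: $drv/smtp.class.php" >&2; return 1; }
    # Never overwrite an earlier backup: it may be the only copy of the original.
    [ ! -e "$bak" ] || { echo "backup already exists: $bak" >&2; return 1; }

    mv "$lib" "$bak" || return 1
    mkdir "$lib" || { mv "$bak" "$lib"; return 1; }
    # "$src/." copies the files INSIDE the folder, not the folder itself.
    if ! cp -R "$src/." "$lib/"; then
        rm -rf "$lib"; mv "$bak" "$lib"   # revert to the original library
        return 1
    fi
    # Keep a copy of the driver before it is edited (skip if one already exists).
    [ -e "$drv/smtpbu.class.php" ] || cp -p "$drv/smtp.class.php" "$drv/smtpbu.class.php" || return 1
    echo "replaced $lib (old copy kept in $bak)"
}

# Hypothetical helper: undo the swap if the contact form test fails.
revert_phpmailer() {
    site=$1
    lib="$site/include/library/phpmailer"
    bak="$site/include/library/phpmailerbu"
    [ -d "$bak" ] || { echo "no backup at $bak" >&2; return 1; }
    rm -rf "$lib" && mv "$bak" "$lib"
}
```

The smtp.class.php edit and the cache clear are still done by hand as described above; revert_phpmailer only restores the library folder, so restore smtp.class.php from smtpbu.class.php yourself if you need to roll back the edit.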

This works fine on our live sites, as mentioned above. If you have questions about this, please ask in this thread.